Context:
I’m running OpenWRT on my router, and I successfully configured StrongSwan for IKEv2 VPN. The VPN connection works fine, and I can connect without issues. However, I’m unable to route traffic from my LAN devices through the VPN (using a VTI interface).
I’ve tried several solutions, including adding NAT rules and routes, but nothing seems to work. At one point, I even lost internet connectivity completely and couldn’t reconnect to the VPN.
Current Configuration:
- IPsec Config (ipsec.conf):
```
conn ivpn
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=restart
    dpddelay=300s
    inactivity=36000s
    rekey=no
    forceencaps=yes
    authby=secret
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    left=192.168.1.1
    leftsourceip=%config
    leftsendcert=always
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    right=se1.gw.ivpn.net
    rightid=se1.gw.ivpn.net
    rightsubnet=0.0.0.0/0
    rightsendcert=always
    eap_identity=zaza
    auto=add
    mark=42
    leftupdown=/usr/libexec/ipsec/_updown_vti
```
- IPsec Secrets (ipsec.secrets):
```
ZAZA : EAP "PASS"
```
- VTI Interface Creation (Custom Script /usr/libexec/ipsec/_updown_vti): I created a script to handle the VTI interface:
```sh
#!/bin/sh
# strongSwan updown hook for conn "ivpn": create/destroy the VTI.
case "$PLUTO_VERB" in
up-client)
    # "local" takes the local IP (PLUTO_ME), not the interface name
    # (PLUTO_INTERFACE); "key" must equal mark=42 in ipsec.conf so the
    # kernel ties this tunnel to the marked IPsec packets.
    ip link add vti-vpn type vti local "$PLUTO_ME" remote "$PLUTO_PEER" key 42
    ip link set vti-vpn up
    ip addr add 169.254.0.1/30 dev vti-vpn
    # two /1 routes take precedence over the default route without replacing it
    ip route add 0.0.0.0/1 dev vti-vpn
    ip route add 128.0.0.0/1 dev vti-vpn
    ;;
down-client)
    ip link del vti-vpn
    ;;
esac
```
- Firewall Configuration (/etc/config/firewall):
```
config forwarding
    option src 'lan'
    option dest 'vpn'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'vpn'
```
- iptables NAT Rule (Added manually and in firewall.user):
```sh
iptables -t nat -A POSTROUTING -o ip_vti0 -j MASQUERADE
```
- Routing Table Before and After Adding Routes (Manually):
- Before adding routes manually:
```
ip route
default via 100.104.0.1 dev pppoe-wan proto static
100.104.0.1 dev pppoe-wan proto kernel scope link src <ip address>
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
```
- After adding routes manually:
```
ip route add 0.0.0.0/1 dev ip_vti0
ip route add 128.0.0.0/1 dev ip_vti0
ip route
0.0.0.0/1 dev ip_vti0 scope link
default via 100.104.0.1 dev pppoe-wan proto static
100.104.0.1 dev pppoe-wan proto kernel scope link src <ip address>
128.0.0.0/1 dev ip_vti0 scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
```
- Issue After Reboot: After every reboot, the routes and NAT rules disappear, and I lose internet connectivity or I’m unable to reconnect to the VPN.
What I’ve Tried:
- I added the routes manually and via the script in /etc/rc.local and /etc/firewall.user to ensure they persist after a reboot.
- NAT rules were added to iptables manually, and I checked using iptables -t nat -L -v to ensure they exist.
- VTI interface (ip_vti0) is up after I manually set it up, but LAN traffic is still not routing through the VPN.
- Checked routing and iptables NAT rules, but traffic still isn't being routed through the VPN after reboot.
- Firewall forwarding from LAN to VPN is set up correctly, but it doesn't seem to be routing traffic through the VPN.
- At one point, I lost connectivity completely and couldn’t reconnect to the VPN, so I had to reset some configurations.
Key Issue:
The VPN connection works fine, but the LAN traffic isn’t being routed through the VPN, and after every reboot, the routes and NAT rules disappear. I need a reliable method to:
- Route all LAN traffic through the VPN.
- Ensure the configuration persists after a reboot.
Request for Help:
Can someone provide a detailed guide or troubleshooting steps to ensure that LAN traffic is routed through the VPN on OpenWRT and that the routes/NAT persist after reboots? I feel like I might be missing something in the routing or firewall configuration.
Thanks in advance for your help!
Additional Info:
If needed, I can provide logs from logread | grep charon and other diagnostics.
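The following is an added example, not the poster's script or anything from strongSwan or OpenWrt. It shows one way to write the updown hook so that it can be checked without root: the commands are generated by functions and only executed when charon calls the script with PLUTO_VERB set. It assumes the conn uses mark=42 (so the VTI key is 42), the VTI is named vti-vpn and addressed 169.254.0.1/30, and that the NAT rule must name the same interface the script creates. The disable_policy sysctl and the use of PLUTO_ME for the local address are standard for Linux VTI tunnels; the mark_value helper assumes strongSwan exports PLUTO_MARK_OUT as "mark/mask".

```shell
#!/bin/sh
# Added example (not from the original post): dry-run-testable strongSwan
# updown hook for a VTI on OpenWrt. Assumptions: conn has mark=42, VTI is
# vti-vpn with 169.254.0.1/30, NAT targets the same interface name.

VTI_IF="${VTI_IF:-vti-vpn}"
VTI_KEY="${VTI_KEY:-42}"            # must equal mark= in ipsec.conf
VTI_ADDR="${VTI_ADDR:-169.254.0.1/30}"

# Extract the numeric mark from strongSwan's "mark/mask" form (assumed
# format of PLUTO_MARK_OUT), e.g. "42/0xffffffff" -> "42".
mark_value() {
    printf '%s' "${1%%/*}"
}

# Print the up-client commands, one per line. $1 = local IP (PLUTO_ME,
# not the device name in PLUTO_INTERFACE), $2 = peer IP (PLUTO_PEER).
vti_up_cmds() {
    me="$1"; peer="$2"
    cat <<EOF
ip link add $VTI_IF type vti local $me remote $peer key $VTI_KEY
sysctl -q -w net.ipv4.conf.$VTI_IF.disable_policy=1
sysctl -q -w net.ipv4.conf.$VTI_IF.rp_filter=0
ip link set $VTI_IF up
ip addr add $VTI_ADDR dev $VTI_IF
ip route add 0.0.0.0/1 dev $VTI_IF
ip route add 128.0.0.0/1 dev $VTI_IF
iptables -t nat -C POSTROUTING -o $VTI_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o $VTI_IF -j MASQUERADE
EOF
}

# Print the down-client commands (reverse order of the up commands).
vti_down_cmds() {
    cat <<EOF
iptables -t nat -D POSTROUTING -o $VTI_IF -j MASQUERADE
ip route del 0.0.0.0/1 dev $VTI_IF
ip route del 128.0.0.0/1 dev $VTI_IF
ip link del $VTI_IF
EOF
}

# Entry point when charon invokes the script; sourcing it for a dry run
# (PLUTO_VERB unset) executes nothing.
case "${PLUTO_VERB:-}" in
up-client)
    # Refuse to build a tunnel whose key would not match the SA mark.
    if [ -n "${PLUTO_MARK_OUT:-}" ] && [ "$(mark_value "$PLUTO_MARK_OUT")" != "$VTI_KEY" ]; then
        echo "updown: mark $PLUTO_MARK_OUT does not match VTI key $VTI_KEY" >&2
        exit 1
    fi
    vti_up_cmds "$PLUTO_ME" "$PLUTO_PEER" | sh -e
    ;;
down-client)
    vti_down_cmds | sh
    ;;
esac
```

To preview what the hook would run on the real gateway, source the file and call vti_up_cmds with the router's WAN address and the peer address; because the route and NAT commands all derive from VTI_IF, the interface named in the MASQUERADE rule cannot drift from the one the script creates, which is the mismatch between vti-vpn and ip_vti0 visible in the post.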